#help

Nimit

11/10/2022, 5:47 PM
hi @Charith (Cerbos) noticed a difference between "IsAllowed" and "QueryPlan" .. I have the following 2 policies (base and a scoped).
All actions blocked in the base BUT VIEW action allowed in scoped.
Both resource and principal have the correct scope set.
When I try to check for VIEW access using "IsAllowed" I get an ALLOWED .. but using Plan it says BLOCKED.
As the specs say, if the answer can be resolved from the scoped policy, why is the base being queried for plan?
base.yml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: interactions
  version: default
  rules:
    - actions:
        - "*"
      roles:
        - poweruser
      effect: EFFECT_DENY
scoped.yml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: interactions
  version: default
  rules:
    - actions:
        - VIEW
      roles:
        - poweruser
      effect: EFFECT_ALLOW
  scope: T00101581-3dd4-40b8-a2e3-175624586f85
{
  "requestId": "123123",
  "principal": {
    "id": "123",
    "roles": [
      "poweruser"
    ],
    "attr": {},
    "scope": "T00101581-3dd4-40b8-a2e3-175624586f85"
  },
  "resources": [
    {
      "resource": {
        "kind": "interactions",
        "id": "123",
        "scope": "T00101581-3dd4-40b8-a2e3-175624586f85",
        "attr": {}
      },
      "actions": [
        "VIEW"
      ]
    }
  ]
}
Alex Olivier (Cerbos)

11/10/2022, 6:01 PM
Hey the query plan in the playground doesn't support scopes right now. Do you get the same result when you run the PDP locally?
Charith (Cerbos)

11/10/2022, 6:04 PM
Yep, I think it's the Playground. It works locally
cat <<EOF | curl --silent "http://localhost:3592/api/plan/resources?pretty" -d @-
{
  "requestId": "query-plan",
  "resource": {
    "kind": "interactions",
    "scope": "T00101581-3dd4-40b8-a2e3-175624586f85"
  },
  "principal": {
    "id": "123",
    "roles": [
      "poweruser"
    ]
  },
  "action": "CREATE",
  "includeMeta": true
}
EOF
{
  "requestId": "query-plan",
  "action": "CREATE",
  "resourceKind": "interactions",
  "filter": {
    "kind": "KIND_ALWAYS_ALLOWED"
  },
  "meta": {
    "filterDebug": "(true)",
    "matchedScope": "T00101581-3dd4-40b8-a2e3-175624586f85"
  }
}
Alex Olivier (Cerbos)

11/10/2022, 6:05 PM
There is a pending item to add scope - will bump it up the list
Nimit

11/10/2022, 7:16 PM
hey guys, in that case I am confused 😞 While curl/postman gives ALWAYS_ALLOWED, running the same code in golang and invoking the API "PlanResources" gives a different result, try the following code:
c, err := client.New("localhost:3593", client.WithPlaintext())
if err != nil {
	log.Fatalf("Error creating Cerbos client: %v", err)
}
roles := []string{"poweruser"}
resp, err := c.PlanResources(context.Background(),
	client.NewPrincipal("123").WithRoles(roles...).WithScope("T00101581-3dd4-40b8-a2e3-175624586f85"),
	client.NewResource("interactions", "id").WithScope("T00101581-3dd4-40b8-a2e3-175624586f85"),
	"VIEW")
if err != nil {
	log.Fatalf("Error planning resources: %v", err)
}
fmt.Println(resp.Filter.Kind)
Charith (Cerbos)

11/10/2022, 7:37 PM
Oh it looks like a bug in the Go client. The scope is not being set on the resource. We'll get it fixed ASAP.

Nimit

11/10/2022, 7:47 PM
Thanks a lot charith, thought I was losing my mind 😄
Charith (Cerbos)

11/11/2022, 8:43 AM
The fix has landed, thanks to @Dennis (Cerbos). It'll take a few days for us to do a release, but you can use it right away if you don't mind using the main branch (go get github.com/cerbos/cerbos/client@main)
Nimit

11/11/2022, 8:44 AM
thanks charith/dennis, appreciate the quick turnaround.. will wait for the release 😃
1:16 PM
hi @Charith (Cerbos) any plans for a release, imminently ? pls keep me in the loop, thanks
Charith (Cerbos)

11/14/2022, 1:43 PM
Hey, we are waiting for another fix that we want to include in the release and it's taking a little longer than expected. Hopefully it will be done this week. If you're in a hurry, it's quite safe to use the SDK from main until the next release because we are pretty serious about maintaining backward compatibility.
Nimit

11/15/2022, 1:28 PM
hi @Charith (Cerbos) tried pulling in the latest cerbos (from main) and building.. and see this error:

github.com/cerbos/cerbos/internal/observability/logging
Error: ../../../go/pkg/mod/github.com/cerbos/cerbos@v0.22.1-0.20221111075933-f61a749212c4/internal/observability/logging/logging.go:101:105: undefined: atomic.Bool
Error: ../../../go/pkg/mod/github.com/cerbos/cerbos@v0.22.1-0.20221111075933-f61a749212c4/internal/observability/logging/logging.go:120:24: undefined: atomic.Bool
note: module requires Go 1.19
Error: Process completed with exit code 2.
Charith (Cerbos)

11/15/2022, 1:33 PM
Which version of Go are you on?
Nimit

11/15/2022, 1:54 PM
1.18
Charith (Cerbos)

11/15/2022, 2:00 PM
I see. I am guessing you can't use the v0.22.0 SDK either then?
Nimit

11/15/2022, 2:01 PM
mm we are on 21 .. and I tried moving to main and had that issue.. haven't tried 22 TBH
Charith (Cerbos)

11/15/2022, 2:04 PM
Yeah, it looks like we accidentally used a Go 1.19 feature in one of the features we introduced in 0.22. I'll see if it can be reverted back.
Nimit

11/15/2022, 2:04 PM
thanks 🙂
Charith (Cerbos)

11/22/2022, 10:56 AM
Hey, if you didn't see the announcement already, we released a new version yesterday that includes the scope fix to the SDK.